Please, please turn off register_globals, and other PHP security no-brainers

PHPWoe is the PHP hosting provider that thinks leaving register_globals on is a good thing. At lunch today, the PICnet gang was chatting about security vulnerabilities that were occuring in many Joomla 3rd party components. The problem is that our wonderful Joomla core was taking flack for not being secure, but at the end of the day all the hacks seemed to be occuring because of poor programming and server hosts leaving on the dreaded “register_globals” on their servers.

I mean, this is PHP hosting 101, right?

Unfortunately, one of our great clients had a server that had register_globals turned on, and the hacker took full advantage. Moral of the story, please, please, check to make sure that register_globals is turned off. If your hosting provider has it turned on, turn and run the other way.

Now, to take this to the next step, Johannes Ullrich over at the Internet Storm Center wrote his Tip of the Day on PHP security today. Read more for some excerpts of how you can protect your code.

Nonprofit news, strategy, and tactics sent straight to your inbox
Sign up for the Soapbox Engage newsletter

This entry was posted on Tuesday, August 22nd, 2006 at 11:44 pm and is filed under Joomla, PHP, security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

You must be logged in to post a comment.